Cisco Support Community
New Member

ASA 5510 Routing Question

Basically, I want to know if this is possible with an ASA5510.

I know in my experience, I've been able to do some internal subnet routing with the ASAs, but for some reason I can't get this one to work.

Basically, I have an internal network of that I want to have a route to another external network of 162.xx.xx.0 for which there is a router on site. Unfortunately I have no access to that router, and the owner of it will NOT change the config, period.

Currently the only way to use that router and transmit data through it is to use separate computers on a 162.xx.xx.0 subnet.

The client would like to use 192.xx.xx.0 machines to access that network, as well as the VPN users on the network.

I have added a static route to the 162.xx.xx.0 network pointing to 162.xx.xx.1 which is the internal IP of the untouchable router.

I also added ACL entries to allow traffic between and 162.xx.xx.0 as well as a static (inside,inside) statement for 162.xx.xx.0

What else am I missing, or is this even possible?

I know just adding an internal router into the equation is the easiest solution, but I'd like to avoid that if possible.

Diagram of network is attached.

Any ideas?

Hall of Fame Super Blue

Re: ASA 5510 Routing Question


Could you clarify something -

The device that the ASA and the router connect into in your diagram: is that an L2 switch? If so, this won't work, simply because for the ASA to route between the subnets it needs an interface in both subnets and it only has an interface in the network.

If it is L2, it looks like you are running 2 completely separate networks on the same switch. With that setup, as I say, it will never work. You could look to use subinterfaces on the ASA or just another interface and give it an address from the 162.x.x.x network and then make the connection from the switch to the ASA a trunk connection. But this is assuming a lot of things.

Who controls the switch, and can it be reconfigured?

What is the switch make and type?


New Member

Re: ASA 5510 Routing Question

It is an HP ProCurve, not sure of the model number without having it in front of me; this is a remote consulting client of ours.

What you said is right though, not sure why I didn't see it before, and I figured out why my previous internal routing configuration worked since it was a slightly different situation.

At this point, my recommendation is going to be to just drop an 1841 or similar router in there and that should make it much easier to route the traffic.

After that, it's just a matter of getting the VPN clients working.

Hall of Fame Super Blue

Re: ASA 5510 Routing Question


An 1841 would work fine. Presumably you would connect this to the HP ProCurve and then have one interface in the 165.x.x.x network and one in the network?

If so, be aware that the existing router may well not have a route to your or 172.16.x.x VPN subnets, so you will need to NAT all source IPs to the 165.x.x.x interface address on the 1841 as the traffic goes to the existing router.


New Member

Re: ASA 5510 Routing Question

Yes, that would be the expected configuration.

I had also considered what you said about the existing router configuration, so that would take some configuring as well to get both the 192 and 172 subnets talking to the 162 network, but it could be done.

This all would be much easier if we had access/ownership of the existing router, but being a police department it is a Department of Law Enforcement private network and they do not adjust their equipment configuration.
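
The source NAT suggested in the thread for the 1841, sketched as an added example that is not from any poster here: Cisco IOS overload NAT (PAT) so the existing router only ever sees the 1841's own address. Interface names, every address (RFC 5737 documentation ranges standing in for the elided subnets) and the /16 mask on the 172.16.x.x VPN pool are assumed placeholders.

```cisco
! Added example: placeholder interfaces and addresses, not the site's real values.
! 192.0.2.0/24    stands in for the internal LAN
! 198.51.100.0/24 stands in for the existing router's subnet
! 172.16.0.0/16   assumed mask for the 172.16.x.x VPN client pool
!
interface FastEthernet0/0
 description Internal LAN side (via the HP ProCurve)
 ip address 192.0.2.2 255.255.255.0
 ip nat inside
!
interface FastEthernet0/1
 description Existing router's subnet (via the HP ProCurve)
 ip address 198.51.100.2 255.255.255.0
 ip nat outside
!
! Only these sources are translated; anything else is not NATed and
! will not get return traffic from a router that has no route back.
access-list 10 permit 192.0.2.0 0.0.0.255
access-list 10 permit 172.16.0.0 0.0.255.255
!
! PAT all permitted sources to the outside interface address, which the
! existing router can already reach because it is directly connected.
ip nat inside source list 10 interface FastEthernet0/1 overload
!
! Verify after sending test traffic:
!   show ip nat translations
!   show ip nat statistics
```

Because every LAN and VPN host appears to the far network as one address, per-host attribution has to come from the 1841's own translation logs, and access-list 10 is the place to narrow which sources may reach that network at all.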